author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-01-22 17:00:48 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-22 17:00:48 +0100 |
commit | 9f146b1b54736ec1b683e3a7381c85d10b1a66a3 (patch) | |
tree | dd2ff39128e9aa3ba5bf67c7abc69aa59020f6b7 /libpod | |
parent | 105a42a2a46529312205cf852fa127627f8915e3 (diff) | |
parent | 1951ff168a63157fa2f4711fde283edfc4981ed3 (diff) | |
Merge pull request #4861 from giuseppe/add-cgroups-disabled-conmon
oci_conmon: do not create a cgroup under systemd
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container.go | 5 | ||||
-rw-r--r-- | libpod/oci_conmon_linux.go | 13 | ||||
-rw-r--r-- | libpod/options.go | 21 |
3 files changed, 27 insertions, 12 deletions
diff --git a/libpod/container.go b/libpod/container.go index b3cb6334a..f29cebf20 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -373,8 +373,11 @@ type ContainerConfig struct { // Time container was created CreatedTime time.Time `json:"createdTime"` // NoCgroups indicates that the container will not create CGroups. It is - // incompatible with CgroupParent. + // incompatible with CgroupParent. Deprecated in favor of CgroupsMode. NoCgroups bool `json:"noCgroups,omitempty"` + // CgroupsMode indicates how the container will create cgroups + // (disabled, no-conmon, enabled). It supersedes NoCgroups. + CgroupsMode string `json:"cgroupsMode,omitempty"` // Cgroup parent of the container CgroupParent string `json:"cgroupParent"` // LogPath log location diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 0e8a64865..722012386 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1425,11 +1425,22 @@ func startCommandGivenSelinux(cmd *exec.Cmd) error { // it then signals for conmon to start by sending nonse data down the start fd func (r *ConmonOCIRuntime) moveConmonToCgroupAndSignal(ctr *Container, cmd *exec.Cmd, startFd *os.File) error { mustCreateCgroup := true - // If cgroup creation is disabled - just signal. + if ctr.config.NoCgroups { mustCreateCgroup = false } + // If cgroup creation is disabled - just signal. + switch ctr.config.CgroupsMode { + case "disabled", "no-conmon": + mustCreateCgroup = false + } + + // $INVOCATION_ID is set by systemd when running as a service. + if os.Getenv("INVOCATION_ID") != "" { + mustCreateCgroup = false + } + if mustCreateCgroup { cgroupParent := ctr.CgroupParent() if r.cgroupManager == define.SystemdCgroupsManager { diff --git a/libpod/options.go b/libpod/options.go index 8bc5a541d..593037382 100644 --- a/libpod/options.go +++ b/libpod/options.go 
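Review bot: The comment on the new `CgroupsMode` field in libpod/container.go lists the three accepted values but not what an empty value means, and a container config saved before this field existed will decode with `CgroupsMode == ""`. The switch added in libpod/oci_conmon_linux.go only reacts to `"disabled"` and `"no-conmon"`, so an empty mode behaves like enabled unless `NoCgroups` is set; I would say so on the field, e.g. `// An empty value (configs written before this field existed) is handled like "enabled" unless NoCgroups is set.` The mode names are also spelled as string literals in three files, so named constants would keep the option that writes them and the code that reads them from drifting apart. The ContainerConfig struct starts and ends outside the hunk.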
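Review bot: The `os.Getenv("INVOCATION_ID") != ""` test in moveConmonToCgroupAndSignal treats an inherited environment variable as proof that podman is running as a systemd service, but that variable is handed down to every child process of a unit and can be set by whoever launches podman. When it is present for any other reason, conmon is silently left in the caller's cgroup, which changes resource accounting and what gets stopped together with that cgroup. I would make the decision visible with a debug log at that branch and widen the comment to `// $INVOCATION_ID is inherited by every process started from a systemd unit; treat it as a hint, not proof, that podman itself is the service.` The function body continues outside the hunk.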
@@ -1078,25 +1078,26 @@ func WithLogTag(tag string) CtrCreateOption { } -// WithNoCgroups disables the creation of CGroups for the new container. -func WithNoCgroups() CtrCreateOption { +// WithCgroupsMode disables the creation of CGroups for the conmon process. +func WithCgroupsMode(mode string) CtrCreateOption { return func(ctr *Container) error { if ctr.valid { return define.ErrCtrFinalized } - if ctr.config.CgroupParent != "" { - return errors.Wrapf(define.ErrInvalidArg, "NoCgroups conflicts with CgroupParent") - } - - if ctr.config.PIDNsCtr != "" { - return errors.Wrapf(define.ErrInvalidArg, "NoCgroups requires a private PID namespace and cannot be used when PID namespace is shared with another container") + switch mode { + case "disabled": + ctr.config.NoCgroups = true + ctr.config.CgroupsMode = mode + case "enabled", "no-conmon": + ctr.config.CgroupsMode = mode + default: + return errors.Wrapf(define.ErrInvalidArg, "Invalid cgroup mode %q", mode) } - ctr.config.NoCgroups = true - return nil } + } // WithCgroupParent sets the Cgroup Parent of the new container. |
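Review bot: The `"disabled"` case of WithCgroupsMode still sets `ctr.config.NoCgroups = true` but no longer performs the two checks the removed WithNoCgroups made first: the conflict with `CgroupParent` and the refusal when `PIDNsCtr` is set, that is, when the PID namespace is shared with another container. Unless both are enforced somewhere outside this diff, a container can now be created with cgroups disabled in a combination the old option rejected with ErrInvalidArg. I would keep the checks in the `"disabled"` branch, as below, or move them to a validation step that runs after all options are applied so that option order does not matter. The doc comment should also describe all three modes, since the option now accepts `"enabled"` as well.

```go
		switch mode {
		case "disabled":
			// Same preconditions the removed WithNoCgroups enforced.
			if ctr.config.CgroupParent != "" {
				return errors.Wrapf(define.ErrInvalidArg, "NoCgroups conflicts with CgroupParent")
			}
			if ctr.config.PIDNsCtr != "" {
				return errors.Wrapf(define.ErrInvalidArg, "NoCgroups requires a private PID namespace and cannot be used when PID namespace is shared with another container")
			}
			ctr.config.NoCgroups = true
			ctr.config.CgroupsMode = mode
		// … unchanged: "enabled"/"no-conmon" and default cases …
```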